CVE-2024-9355

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Weakness

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

Affected Software

Name	Vendor	Start Version	End Version
Red Hat Enterprise Linux 7 Extended Lifecycle Support	RedHat	rhc-worker-script-0:0.10-2.el7_9	*
Red Hat Enterprise Linux 8	RedHat	go-toolset:rhel8-8100020241001112709.a3795dee	*
Red Hat Enterprise Linux 8	RedHat	grafana-0:9.2.10-20.el8_10	*
Red Hat Enterprise Linux 8	RedHat	grafana-pcp-0:5.1.1-9.el8_10	*
Red Hat Enterprise Linux 9	RedHat	golang-0:1.21.13-4.el9_4	*
Red Hat Enterprise Linux 9	RedHat	grafana-0:9.2.10-19.el9_4	*
Red Hat Enterprise Linux 9	RedHat	osbuild-composer-0:132-1.el9	*
Red Hat Enterprise Linux 9	RedHat	git-lfs-0:3.6.1-1.el9	*
Red Hat Enterprise Linux 9.4 Extended Update Support	RedHat	grafana-pcp-0:5.1.1-4.el9_4	*
Satellite Client 6 for RHEL 10	RedHat	foreman_ygg_worker-0:0.3.1-1.el10sat	*
Satellite Client 6 for RHEL 8	RedHat	foreman_ygg_worker-0:0.3.1-1.el8sat	*
Satellite Client 6 for RHEL 9	RedHat	foreman_ygg_worker-0:0.3.1-1.el9sat	*
Streams for Apache Kafka 2.9.0	RedHat	golang-github-danielqsj-kafka_exporter	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2024-9355
CWE	https://cwe.mitre.org/data/definitions/457.html

Use of Uninitialized Variable

Weakness

Affected Software

Potential Mitigations

References